HTTP Strict Transport Security

Friday, August 27, 2010

A while ago, we talked about Force-TLS that lets sites say “hey, only access me over HTTPS in the future” and the browser listens. Well, this idea has been solidified into a draft spec for HTTP Strict Transport Security (HSTS) and we’ve landed support for it in our source tree.

This means that HSTS will ship with Firefox 4, and will be available as soon as the next beta release.

We’re excited about this because it enables sites to easily give their users lots more protection from man-in-the-middle attacks when they’re using an untrustworthy network.

Grab a nightly build, and let us know what you think! The folks over at PayPal are serving a Strict-Transport-Security header, if you’d like to check it out.